Part 1 of the 2-part IPsec Series
The new Cisco Catalyst 9000X with IPsec support is finally a reality. I will quickly cover three use cases that are relevant to branch deployments.
Cisco introduced the Catalyst 9000X series, which includes the C9300X, C9400X, C9500X, and C9600X. I will mostly focus on the C9300X which supports IPsec today as of IOS-XE 17.6.2 with Advantage licensing. The C9400X will support IPsec soon.
The C9300X comes with a new enhanced Unified Access Data Plane (UADP) ASIC called the UADPsec. This new ASIC enables industry-first capabilities: the switch can perform up to 100G of Layer 3 hardware encryption and up to 1 Tbps of stacking. It also enhances support for the application hosting capabilities common to all Catalyst platforms.
The good news is that the C9300X supports standards-based IPv4/IPv6 IPsec (up to 128 tunnels). It also supports NAT Traversal, Multicast routing, Layer 3 Segmentation over IPsec, Layer 2 extension over IPsec, and even EVPN over the tunnel.
So, why is this needed? If you are an SD-WAN customer, then you already have an architecture in place. The Catalyst 9300X is not meant to be an SD-WAN replacement; it is an independent solution. It is meant for customers who intend to reduce the number of devices at the branch office, for example by removing a router and/or firewall while still creating a secure tunnel connection. If so, then look no further. The Catalyst 9300X can help you achieve it.
The Catalyst 9300X can help set up multiple secure tunnels. There are three common use cases. The first is Site-to-SIG. The Secure Internet Gateway (SIG) support can be to Umbrella, Zscaler, or any other third-party provider. The second is Site-to-Cloud, which can establish a secure tunnel to your Cloud provider of choice. The third use case is Site-to-Site. The C9300X can establish a secure tunnel to your Data Center firewall, router, or even another C9300X switch. These are at least three reasons why this platform is right for you.
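As an added example (not configuration from the original post or from Cisco), here is a minimal IKEv2 site-to-site IPsec tunnel of the third kind described above, built as a static VTI on IOS-XE. Every address, interface name, object name and the pre-shared key is a placeholder; the far end (a DC router, firewall or second C9300X) mirrors this with the addresses swapped. The post's comments note that the feature needs a DNA Advantage license and an activated HSEC token before any of this will come up.

```cisco
! --- IKEv2 (phase 1): AES-GCM-256 with an explicit PRF and ECDH group 19 ---
crypto ikev2 proposal IKEV2-PROP
 encryption aes-gcm-256
 prf sha512
 group 19
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
! --- Peer credential: pre-shared key (placeholder value, replace before use) ---
crypto ikev2 keyring IKEV2-KR
 peer DC-PEER
  address 203.0.113.2
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! --- Bind identity, authentication and liveness (DPD) into one profile ---
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
 dpd 10 3 on-demand
!
! --- IPsec (phase 2): ESP with AES-GCM-256, tunnel mode ---
crypto ipsec transform-set ESP-GCM256 esp-gcm 256
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set ESP-GCM256
 set ikev2-profile IKEV2-PROF
!
! --- Static VTI: uplink and peer addresses are placeholders ---
interface Tunnel100
 description Site-to-Site IPsec to DC (added example)
 ip address 10.255.0.1 255.255.255.252
 tunnel source TenGigabitEthernet1/1/1
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPSEC-PROF
!
! --- Route the DC prefix (placeholder) into the tunnel ---
ip route 10.10.0.0 255.255.0.0 Tunnel100
!
! --- Checks after the peer is configured ---
! show crypto ikev2 sa          (IKE SA should be READY)
! show crypto ipsec sa          (encaps/decaps counters increasing)
! show interface Tunnel100      (line protocol up)
```

The VTI form is what makes the three use cases look alike from the switch's side: a tunnel interface carries whatever you route into it, so segmentation, multicast and the other features listed above ride on an ordinary routed interface rather than on crypto ACLs. A pre-shared key keeps the example short; for a fleet of branches, certificate authentication against an enterprise CA avoids distributing per-site secrets and makes revocation possible.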
In my next post, I will show how to onboard the C9300X switch using Cisco DNA Center Plug and Play (PnP). In addition, I will show how to create secure tunnels to the Umbrella SIG environment.
Wow, it sounds great!
Great for the branch office to reduce complexity and pinch points
Great information. Thanks for detailing.
It’s looking good.
Awesome for this great development
Great feature, please create a demo on video.
It’s great.
Zscaler is missing a “c”
It is zscaler not zsaler
Thank you Philip – nice catch
So it is sort of an SD-WAN deployment. If I can do it on the branch switch, why do I need another SD-WAN solution? Saving some money by deploying that at the branch makes sense.
Thanks for sharing, Orestes – very useful indeed. Will be following your next post with interest.
Is this feature inclusive within the DNA Advantage license?
Yes, this is a DNA Advantage feature. Also note, this requires HSEC token to be activated.
I can’t believe that the network industry is changing at this rapid pace. Now the definition of router / switch has changed forever. GREAT JOB
Great one… looking forward to your next post.
Hi.
I would be happy to read part 2 🙂 I have a customer who may need high-speed IPsec tunnels for remote high-res. video. Would it support multicast embedded in IPsec tunnels through VTI interfaces?